A is wrong
Because we're asked if we can block "entire" HTTP traffic. This is doable by an L4 firewall by disabling port no. 80.
B is wrong
ICMP is an NL protocol, which comes under TL, so we're good.
C is wrong
IP addresses are the characteristics of NL, which comes under TL.
D is right
Because we're asked to manipulate a specific user. We can't do that with a firewall that can see up to TL.
If option A said, block HTTP traffic from a specific user, then A and D would both be right. Intuitively, you can think of it like, blocking entire stuff requires a strong hammer, but blocking a specific thing out of it requires greater sophistication.
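The reasoning above as an added example (not part of the original answer): a filter that reads only IPv4 and TCP/ICMP header fields can match port 80, ICMP, or a source address, but packets sent by two different users on one host differ only in the ephemeral source port. All addresses, ports, rule names and the `ALICE`/`BOB` packets are constructed for illustration.

```python
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_packet(src, dst, proto, sport=0, dport=0):
    """Constructed sample packet: IPv4 header plus a bare TCP or ICMP header."""
    if proto == 6:   # TCP: ports followed by 16 zeroed header bytes
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    else:            # ICMP echo request with zeroed remainder
        l4 = b"\x08\x00" + b"\x00" * 6
    ip = struct.pack(IP_FMT, 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4

def visible_fields(pkt):
    """Everything a filter that stops at the transport layer can match on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    f = {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto == 6 and len(pkt) >= ihl + 4:
        f["sport"], f["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return f

# Hypothetical rule set: first match wins, default is allow.
RULES = [
    ("block-http", lambda f: f["proto"] == 6 and f.get("dport") == 80),
    ("block-icmp", lambda f: f["proto"] == 1),
    ("block-src-ip", lambda f: f["src"] == "198.51.100.7"),
]

def decide(pkt):
    f = visible_fields(pkt)
    return next((name for name, match in RULES if match(f)), "allow")

def distinguishing_fields(a, b):
    """Header fields that differ between two packets."""
    fa, fb = visible_fields(a), visible_fields(b)
    return sorted(k for k in fa.keys() | fb.keys() if fa.get(k) != fb.get(k))

# Constructed: two users logged in to the same host, same destination.
ALICE = build_packet("192.0.2.10", "203.0.113.5", 6, 40001, 22)
BOB = build_packet("192.0.2.10", "203.0.113.5", 6, 40002, 22)

if __name__ == "__main__":
    print(decide(ALICE), decide(BOB), distinguishing_fields(ALICE, BOB))
```

The source port is assigned by the host's operating system per connection, so nothing in these headers tells the filter which local account opened the socket.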